• Status: Solved

Linux Config Files


Can anyone help me identify the appropriate Linux files to identify the following security settings on a Linux server? I know the Solaris equivalent but require the Linux files as I'm working on a Linux server:

* Running network services, i.e. telnet, chargen, ftp etc. (in Solaris the file is /etc/inetd.conf and /etc/pam.conf).

* Password parameters, e.g. length, complexity etc. (in IBM AIX I use /etc/security/passwd, in Solaris the file is /etc/default/password and /etc/default/profile)

* Failed root login attempts (in Solaris the file is /etc/default/login)

* List of installed security patches (in Solaris it is the command showrev -p)

* File systems installed / directories (in Solaris the file is /etc/vfstab)

* Users who can connect without a password (in Solaris the file is /etc/hosts.equiv)

* Users who can print through the server without a password (in Solaris the file is /etc/hosts.lpd)

Thanks
pma111
Asked:
 
pma111 (Author) Commented:
Also, in Solaris logins -p used to show users who can log in without a password, yet this doesn't seem to work on a Linux server. Is there an alternative command?
 
Kerem ERSOY (President) Commented:
Hi,

In fact it depends on which distro of Linux you use. Linux distros come with 2 flavors of inetd: either inetd or xinetd. Since it seems that you cannot find inetd.conf, your distro must be using xinetd. Or maybe it was not installed by default. You can use the package manager of your distro to install it. This again depends on which distro you are using. Please tell me your distro and I'll try to help.

But in general you can find information about xinetd here:

http://www.xinetd.org/
http://aplawrence.com/Basics/xinetd.html

I'm sending you information on xinetd only, since you already know how to use inetd. BTW, on most systems chargen etc. are disabled for security reasons.

You can find password complexity parameters in distro-defined locations.

You can find failed root login attempts in the /var/log/secure logs.

Again, installed patches will be displayed using your distro's package manager.

File system locations are under /etc/fstab, and /etc/mtab for currently mounted ones.

/etc/hosts.equiv is the same, but since you most probably don't have telnet, you would check your /etc/ssh/sshd_config file for the configuration of the ssh daemon.

/etc/hosts.lpd is there, but you might need to dig into the lpr files too if it is installed and active.

Cheers,
K.
 
woolmilkporc Commented:

1) /etc/inetd.conf OR /etc/xinetd.conf, /etc/xinetd.d
2) /etc/default/passwd, /etc/shadow, /etc/pam.d/
3) /var/log/faillog. Use faillog -u root
4) ?
5) /etc/fstab
6) 7) /etc/hosts.equiv, /etc/hosts.lpd
wmp
 
arnold Commented:
* /etc/xinetd.conf and /etc/xinetd.d/* and /etc/pam*

* more /etc/release* or /etc/[vendor name]-release, same as on Solaris (more /etc/release), or rpm -qa | grep kernel. On Linux the patch, depending on the vendor of the underlying OS, is part of the installed package: package-majorversion-update_revision. Depending on the Linux distribution you use, you could have /var/log/yum.log or other mechanisms that track the installation of packages.

/etc/fstab is the vfstab equivalent (mount works to display the information in either environment).
/etc/hosts.equiv remains the same.
The printer part: Linux users would likely use CUPS as a print server, but /etc/hosts.lpd still might be used.
 
Kerem ERSOY (President) Commented:
> also in solaris logins -p used to show users who can login without a password, yet this doesn't seem to work on a linux server, is there an alternative command?

Don't forget that most modern Linux distros come with telnet disabled by default and this is not an issue. But you can check the second column in /etc/shadow. If it is only a * then it means that the user is not allowed to log in. If it is a ! then it means that this user has not been assigned a password yet. And if it contains an encrypted password, naturally it will indicate that this user has been assigned a password.

Please check your SSH configuration to make sure that it won't allow users without a password:

PermitEmptyPasswords no

Also, you can disable password authentication altogether and allow only public key authentication:

PasswordAuthentication no
PubkeyAuthentication yes

Cheers,
K.
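The sshd_config check recommended in the post above can be run against a copy of the file. This is an added example, not part of the original post; the sample configuration and the function names are constructed for illustration. It shows why a plain grep can mislead: a commented-out line is ignored and the first occurrence of a keyword wins.

```python
# Added example; SAMPLE_SSHD_CONFIG is constructed, not taken from a real host.
DEFAULTS = {  # OpenSSH defaults used when a keyword is absent
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitEmptyPasswords no
PasswordAuthentication yes
permitemptypasswords yes
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no
"""

def effective_settings(text):
    """Global values sshd would use: keywords are case-insensitive and the
    first occurrence wins; lines after a Match line apply conditionally."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if len(parts) == 2 and keyword in DEFAULTS and keyword not in seen:
            seen[keyword] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def findings(settings):
    """Audit findings for the options named in the post above."""
    out = []
    if settings["permitemptypasswords"] == "yes":
        out.append("empty passwords accepted over SSH")
    if settings["passwordauthentication"] == "yes":
        out.append("password authentication enabled")
    if settings["pubkeyauthentication"] != "yes":
        out.append("public key authentication disabled")
    return out

if __name__ == "__main__":
    for finding in findings(effective_settings(SAMPLE_SSHD_CONFIG)):
        print("FINDING:", finding)
```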
 
pma111 (Author) Commented:
KeremE,

> Hi,
> In fact it depends on what distro of Linux do you use...........
> Please tell me your distro so that I'll try to help.

Can this be identified by running the uname -a command?

Thanks
 
arnold Commented:
more /etc/*release*
uname -a could be used to make an educated guess based on the reported kernel version (uname -r).
[kernel-version]-revision would usually suggest a RedHat/CentOS. RedHat/CentOS are set up similarly to Solaris to maintain the major version of applications for uniformity throughout, i.e. a new version of the application will not be installed through patching, but the existing application will be "patched" if security issues etc. apply.
 
pma111 (Author) Commented:
FAO KeremE and others reading: the distribution is Red Hat Enterprise Linux
 
arnold Commented:
/etc/redhat-release will tell which RHEL it is: 2, 3, 4, 5 etc.
RHN.redhat.com can be used to manage the installed packages/updates.
Depending on the version, up2date might be used to keep the system up to date with the patches. Kernel updates are often excluded from the automated process. You would need to reconfigure with up2date --configure or something like that. Still, it may depend on the version. Version 5 might use YUM as the update/package installer.
 
pma111 (Author) Commented:
Sorry, version 5
 
arnold Commented:
The /etc/redhat-release should tell you whether it is RHEL 5, 5.1, 5.2 or 5.3.
RHEL 5 uses yum.

tail /var/log/yum.log will show you which packages were updated/installed, and when, since the original install.
The original install data is in /root/install.log

yum update
yum upgrade
is equivalent to downloading the MU or the Recommended patch cluster and then applying it.
yum update/upgrade [individual or a specific set of applications]
 
pma111 (Author) Commented:
For Red Hat Enterprise 5.0, where is the password policy file, i.e. the equivalents to:
/etc/security/passwd, /etc/default/password and /etc/default/profile?

I have /etc/shadow and /etc/passwd, but nowhere in these files does it say the required password complexity rules etc.
 
woolmilkporc Commented:
Afaik RedHat uses pam_cracklib (/etc/pam.d/system_auth) to check passwords before they are changed.
Look at the docs:
There must be a "README.pam_cracklib" somewhere, and there should be "/usr/share/doc/cracklib-xx" for the options you can set to require stronger passwords and such.
 
Kerem ERSOY (President) Commented:
You can check password complexity using this command:

man pam_cracklib

Cheers,
K.
 
arnold Commented:
http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-pass.html
Look for the heading "Forcing Strong Passwords", which includes a reference to the cracklib mentioned by the earlier posters.
 
pma111 (Author) Commented:
How about identifying running services (ftp, telnet, chargen etc.) in Red Hat LE? I don't have access to the server so am having to request output of files and commands...

Thanks for the help...
 
woolmilkporc Commented:
chkconfig -l
(last block)
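When only the command output is available, the listing can be parsed offline. This is an added example, not part of the original post; the sample is constructed in the layout printed by chkconfig --list on Red Hat systems, and the function name is hypothetical. It separates the SysV services enabled at a runlevel from the xinetd-managed services in the last block, which only matter if xinetd itself is enabled. The listing shows what is configured to start, not what is currently running.

```python
# Added example; SAMPLE_CHKCONFIG is constructed output in `chkconfig --list` layout.
SAMPLE_CHKCONFIG = """\
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:off   3:on    4:off   5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        telnet:         on
"""

def enabled_services(text, runlevel=3):
    """Split the listing into SysV services enabled at `runlevel` and
    xinetd-managed services switched on in the last block."""
    sysv, xinetd, in_xinetd_block = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("xinetd based services"):
            in_xinetd_block = True
        elif in_xinetd_block:
            name, _, state = line.partition(":")
            if state.strip() == "on":
                xinetd.append(name)
        else:
            tokens = line.split()
            states = dict(t.split(":", 1) for t in tokens[1:] if ":" in t)
            if states.get(str(runlevel)) == "on":
                sysv.append(tokens[0])
    return {
        "sysv": sorted(sysv),
        "xinetd": sorted(xinetd),
        # xinetd-managed services are only reachable if xinetd itself starts
        "xinetd_active": "xinetd" in sysv,
    }

if __name__ == "__main__":
    print(enabled_services(SAMPLE_CHKCONFIG, runlevel=3))
```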
 
pma111 (Author) Commented:
Can I confirm, the output of "man pam_cracklib" will show all passwords must have met this complexity, or is it that any new passwords must meet this complexity, but old passwords may still be weak?
 
arnold Commented:
netstat -an
Look for LISTEN to identify which ports are being used.
You can then use lsof -i:portnumber
to determine which application is bound to that port.
sestatus to see whether SELinux is enabled or not.
 
woolmilkporc Commented:
Check the actually defined rules in /etc/pam.d/passwd (or maybe /etc/pam.d/common-password).
Rules only apply to new passwords, from the moment they're set.
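The rules actually defined can be read out of a copy of the PAM file. This is an added example, not part of the original post; the sample stack is constructed and the function names are hypothetical. It extracts the pam_cracklib options from the password stack of a file such as /etc/pam.d/system-auth and applies the credit semantics from the pam_cracklib man page: a negative dcredit/ucredit/lcredit/ocredit value is a minimum count of that character class, a non-negative value is a credit towards minlen.

```python
import os

# Added example; SAMPLE_SYSTEM_AUTH is a constructed PAM stack.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=10 dcredit=-1 ucredit=-1 ocredit=0
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""
CLASSES = {"dcredit": "digit", "ucredit": "upper", "lcredit": "lower", "ocredit": "other"}

def pam_entries(text):
    """Yield (type, control, module, args) for each rule line of a PAM file."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue
        ptype, rest = fields[0].lstrip("-"), fields[1].strip()
        if rest.startswith("["):        # bracketed control, e.g. [success=1 default=ignore]
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], parts[1] if len(parts) > 1 else ""
        tokens = rest.split()
        if tokens:
            yield ptype, control, tokens[0], tokens[1:]

def cracklib_policy(text):
    """Explicitly configured pam_cracklib settings, or None if the module is
    not in the password stack. Unset options fall back to module defaults."""
    for ptype, _control, module, args in pam_entries(text):
        if ptype != "password" or os.path.basename(module) != "pam_cracklib.so":
            continue
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        policy = {"minlen": None, "retry": None, "required": {}, "credit": {}}
        for key in ("minlen", "retry"):
            if key in opts:
                policy[key] = int(opts[key])
        for key, name in CLASSES.items():
            if key in opts:
                n = int(opts[key])
                if n < 0:
                    policy["required"][name] = -n   # at least |n| characters of this class
                else:
                    policy["credit"][name] = n      # credit counted towards minlen
        return policy
    return None
```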
 
pma111 (Author) Commented:
Thanks all...

One final question on reviewing /etc/shadow and /etc/pass...

I have 45 users. In /etc/passwd, the final column which I think relates to the user's shell account, 40 users 35 users have /sbin/nologin - does this mean they cannot log in to the server?

For the remaining 10 users I have checked in the /etc/shadow/ file and most seem to have a password hash in the 2nd column, but some have a * and some have !!.

Does star * mean account disabled?

What about !!?

If a user has !! in their password field, and access to bin/bash as shown in /etc/passwd, can they log in without a password?
 
woolmilkporc Commented:
Users with /sbin/nologin as their shell cannot login.
* is an invalid password - login by password is not possible (daemon, bin, sys etc.)
! means user cannot login at all (sshd and the like).
I can't say what "!!" might mean, but I think it's essentially the same as "!"
 
woolmilkporc Commented:
... one more thing
* - root can su to that user
! - no login at all (not even su by root)
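For a review done from copies of /etc/passwd and /etc/shadow, as in this thread, the two files can be joined and each account classified. This is an added example, not part of the original posts; the sample entries, placeholder hashes and function names are constructed. It follows shadow(5): an empty field means no password is required, a field starting with ! is a locked password, and a value such as * cannot match any password. It reports password authentication only and lists the accounts a Solaris logins -p would be looking for.

```python
import re

# Added example; both samples are constructed, with placeholder hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
svc:x:503:503::/home/svc:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$salt$placeholderhash:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
bob:!!:14000:0:99999:7:::
carol::14000:0:99999:7:::
svc:!$1$salt$placeholderhash:14000:0:99999:7:::
"""
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def password_state(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "EMPTY"          # no password needed to authenticate
    if field.startswith("!"):
        return "LOCKED"         # "!", "!!" or "!<hash>": password locked
    if field.startswith("$") or DES_HASH.match(field):
        return "HASH"           # a password is set
    return "NO_VALID_HASH"      # "*" and the like: no password can match

def audit(passwd_text, shadow_text):
    """Map each account to (password state, has interactive shell)."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    report = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, shell = parts[0], parts[1], parts[6]
        # "x" points at /etc/shadow; anything else is the password field itself
        field = shadow.get(name, pw) if pw == "x" else pw
        report[name] = (password_state(field), shell not in NON_LOGIN_SHELLS)
    return report

def passwordless_logins(report):
    return sorted(n for n, (state, shell_ok) in report.items()
                  if state == "EMPTY" and shell_ok)
```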
